Firewalls (October 1997)
Hello,

I'd like to get your opinions of the security in place compared to the security of the redesign. Also, opinions on security in SNA/IBM environments, and risks.

Security in the host today is accomplished through RACF, which defines user accounts and specifies which resources the users can access.

----------------

My client has remote sites with various degrees of trust. Some remotes are part of the company, but not strictly controlled by IS as to what they can, or think they can, do with their network. These sites are considered pretty secure, although not completely trusted. IS wants to have more control over what access they have to the corporate campus LAN.

We have a firewall in place, which permits IS-sanctioned IP applications to pass through. However, one of the requirements is SNA, with an AS400 located at the remote site connecting to an FEP with access to a mainframe located at the corporate site. The SNA is encapsulated into TCP and forwarded from the remote router to a corporate router, which de-encapsulates the TCP and forwards SNA onto the token ring. The firewall is currently set up to pass the DLSW TCP port number through, as long as the source and destination IP addresses are correct. The routers are set up to route IP. IPX, AppleTalk, Vines, DECnet are not allowed to be bridged. NetBIOS is not passed through the DLSW tunnel either.

We currently have the following:

    AS400
      |
    (sna, token ring)
      |
    router dlsw peer (encapsulates sna into tcp, forwards tcp session to peer2)
      |
    FRAME RELAY NETWORK
      |
      |
    router, IP only
      |
    --LAN--
      |
    firewall (permits dlsw tcp port 2065)
      |
      |
    CAMPUS Token ring
      |
    DLSW Peer2 Router (No bridging on interface to Campus Ring)
      |
    ring
      |
    IBM FEP, 3745
      |
    IBM MAINFRAME

Note that the DLSW Peer2 router is inside the firewall. The interface that connects to the corporate campus Token ring does not have bridging enabled, so the SNA packets, when de-encapsulated, do not get forwarded back onto that ring. They only get forwarded on to the FEP-connected ring.

There is no telnet access from outside the firewall to internal campus resources without authentication at the firewall itself.

There are other FEPs and FEP ring interfaces that connect directly to the campus token ring, which also connect to the MAINFRAME, for host access by people located on the campus network.

There are some security risks, including denial of service attacks through excessive bridging packets, access to the FEP by anyone on a remote ring, ...

-----

We are considering a redesign. I'd like to get your opinions of the security in place compared to the security of the redesign. Also, opinions on security in SNA/IBM environments, and risks.

    AS400
      |
    (sna, token ring)
      |
    router dlsw peer (encapsulates sna into tcp, forwards tcp session to peer2)
      |
    FRAME RELAY NETWORK
      |
      |
    router, IP dlsw peer
      |        \
    --LAN--     \
      |         ring
    firewall      \
      |           FEP
      |
    CAMPUS Token ring

As you can see, the dlsw will no longer be tunneled through the firewall. The connection to the FEP would be outside the firewall. Nothing else is on the FEP ring. The dlsw peer router would have to be set up with specific addresses of remote routers that could establish dlsw connections to it.

The only added threat is that the router which is configured with the peer is also outside the firewall. Someone could potentially bring another router up, telnet to and break into the dlsw peer router, configure themselves, and have access to the FEP.

Thanks,

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
** Sami Mousa, FORE ATM(WAN) Certified                                    **
** International Network Services      Office: (908)603-8541 x320         **
** Network Systems Engineer            e-mail: sami_mousa@ins.com         **
** 120 Wood Ave South                  Pager:  (888)896-4064              **
** Suite #615                          Fax:    (908)548-5630              **
** Iselin, New Jersey 08830            www.ins.com                        **
=============================================================================
"My statements in this message are personal opinions
 which may have no basis whatsoever in fact."
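Added example, not part of Sami's post or his client's configuration: a Cisco IOS style configuration for the corporate-side DLSw peer router in the redesign, with a weak setting shown first and the tightened version after it. The IP addresses are RFC 5737 documentation addresses and the interface names, access-list numbers and management subnet are assumptions chosen for illustration.

```cisco
! ===== Weak: peer-id is promiscuous, so any router that can reach
! ===== 192.0.2.1 on TCP 2065 may form a DLSw peer and push SNA onto
! ===== the FEP ring; the vty lines accept telnet from any source.
dlsw local-peer peer-id 192.0.2.1 promiscuous
dlsw bridge-group 1
line vty 0 4
 login
 password cisco

! ===== Tightened (assumed addresses, RFC 5737 documentation ranges):
!   192.0.2.1       this router's DLSw peer-id (WAN side)
!   198.51.100.1    the remote site's DLSw peer router
!   203.0.113.0/24  IS management subnet, behind the firewall
service password-encryption
enable secret <choose-a-strong-secret>
!
! Explicit remote peer only; no "promiscuous" keyword, so a router that is
! not 198.51.100.1 never gets past the DLSw capabilities exchange.
dlsw local-peer peer-id 192.0.2.1
dlsw remote-peer 0 tcp 198.51.100.1
dlsw bridge-group 1
!
! WAN-facing filter: DLSw TCP (port 2065) between the two known peers in
! either direction, nothing else. The deny line logs what was dropped.
access-list 110 permit tcp host 198.51.100.1 host 192.0.2.1 eq 2065
access-list 110 permit tcp host 198.51.100.1 eq 2065 host 192.0.2.1
access-list 110 deny   ip any any log
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 110 in
!
! FEP ring: the only bridged interface, so de-encapsulated SNA frames
! reach the 3745 and nothing else. The LAN interface toward the firewall
! is left routed, not bridged, as in the diagram.
interface TokenRing0
 bridge-group 1
!
bridge 1 protocol ieee
!
! Management: only the IS management subnet may open a vty session, and
! it arrives on the LAN side, so ACL 110 on Serial0 does not affect it.
access-list 10 permit 203.0.113.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login
 password <choose-a-strong-password>
 transport input telnet
 exec-timeout 5 0
```

DLSw itself authenticates a peer by nothing more than its IP address, so the WAN access list and the vty access-class carry the weight in the redesign: the first keeps an unknown frame relay neighbour from reaching TCP 2065 or the router's management ports at all, and the second keeps a neighbour that does reach the router from logging in and adding its own `dlsw remote-peer` line.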